CVE-2023-5086 in Copy Anything to Clipboard Plugininfo

Summary

by MITRE • 10/25/2023

The Copy Anything to Clipboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'copy' shortcode in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/10/2026

The Copy Anything to Clipboard plugin for WordPress presents a critical security vulnerability classified as CVE-2023-5086, affecting versions up to and including 2.6.4. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's 'copy' shortcode implementation. The flaw specifically targets the plugin's handling of user-supplied attributes, creating an environment where malicious code can be persistently stored within the WordPress database. The vulnerability manifests as a stored cross-site scripting attack vector that can be exploited by authenticated attackers possessing contributor-level permissions or higher, making it particularly concerning for WordPress installations where multiple users have varying permission levels.

The technical exploitation of this vulnerability occurs through the manipulation of the copy shortcode's attributes, which are processed without proper sanitization measures. When an attacker with sufficient privileges creates or modifies content containing malicious script within these attributes, the script becomes permanently stored in the database. Subsequently, whenever any user accesses a page containing the compromised shortcode, the malicious code executes in the victim's browser context. This persistent nature of the vulnerability means that the malicious payload remains active until manually removed from the database, potentially affecting numerous users over extended periods. The vulnerability directly maps to CWE-79: Improper Neutralization of Input During Web Page Generation, which addresses the failure to properly escape or sanitize user input before incorporating it into dynamically generated web content.

The operational impact of CVE-2023-5086 extends beyond simple script execution, potentially enabling attackers to perform various malicious activities including credential theft, session hijacking, and data exfiltration. Since the vulnerability requires only contributor-level permissions, it represents a significant risk for WordPress installations where contributors have access to content management features. The attack surface is further expanded as the compromised shortcode can be embedded in various content types including posts, pages, and custom post types, making detection and remediation more challenging. This vulnerability aligns with ATT&CK technique T1566.001: Phishing via Social Engineering, as attackers can craft malicious content that appears legitimate while executing harmful scripts. The persistence of the stored XSS makes it particularly dangerous for organizations with large user bases where the attack could propagate through multiple user interactions over time.

Mitigation strategies for CVE-2023-5086 should prioritize immediate plugin updates to versions that address the sanitization and escaping vulnerabilities. Organizations should implement strict role-based access controls, limiting contributor permissions to prevent unauthorized content modifications. Additionally, implementing content security policies and regular security audits can help detect and prevent exploitation attempts. The vulnerability highlights the importance of proper input validation and output escaping practices as recommended in OWASP Top Ten categories and defense-in-depth security principles. Security teams should also consider implementing automated monitoring for suspicious shortcode usage and regular database scans to identify potential malicious entries. Given the stored nature of the vulnerability, maintaining comprehensive backups and implementing proper access logging can aid in forensic analysis and incident response efforts.

Reservation

09/20/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00436

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!